dynamic-stack-buffer-overflow in udp_send #1913

Open
renatahodovan opened this issue Jul 5, 2019 · 0 comments
@renatahodovan (Contributor)

IoT.js version:
Checked revision: bc9a5da

Build command: CC=clang-7 \
tools/build.py --clean \
--buildtype=debug \
--compile-flag="-D'IOTJS_ASSERT(x)=assert(x)'" \
--compile-flag=-O2 --compile-flag=-fno-common --no-snapshot \
--compile-flag=-fsanitize=address --compile-flag=-fno-omit-frame-pointer \
--jerry-cmake-param=-DFEATURE_SYSTEM_ALLOCATOR=ON --target-arch=i686 \
--profile=test/profiles/host-linux.profile --jerry-profile=es2015-subset \
--jerry-cmake-param=-DEXTERNAL_COMPILE_FLAGS=-Wno-conversion
OS:
Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
var dgram = require('dgram')
dgram.createSocket('udp4')._handle.send(this, 1, '')
Backtrace:
=================================================================
==7477==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0xffb3beac at pc 0x0818e4b0 bp 0xffb3bc48 sp 0xffb3bc40
READ of size 4 at 0xffb3beac thread T0
    #0 0x818e4af in udp_send iotjs/src/modules/iotjs_module_udp.c:186:3
    #1 0x81b60dc in ecma_op_function_call iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:815:32
    #2 0x8277fc8 in opfunc_call iotjs/deps/jerry/jerry-core/vm/vm.c:565:24
    #3 0x8277fc8 in vm_execute iotjs/deps/jerry/jerry-core/vm/vm.c:3478
    #4 0x82187ac in vm_run iotjs/deps/jerry/jerry-core/vm/vm.c:3611:10
    #5 0x81b6442 in ecma_op_function_call iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792:32
    #6 0x81eaa80 in ecma_builtin_function_prototype_dispatch_routine iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c
    #7 0x820b10a in ecma_builtin_dispatch_routine iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016:10
    #8 0x820b10a in ecma_builtin_dispatch_call iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
    #9 0x81b6470 in ecma_op_function_call iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:716:16
    #10 0x8277fc8 in opfunc_call iotjs/deps/jerry/jerry-core/vm/vm.c:565:24
    #11 0x8277fc8 in vm_execute iotjs/deps/jerry/jerry-core/vm/vm.c:3478
    #12 0x82187ac in vm_run iotjs/deps/jerry/jerry-core/vm/vm.c:3611:10
    #13 0x81b6442 in ecma_op_function_call iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792:32
    #14 0x8277fc8 in opfunc_call iotjs/deps/jerry/jerry-core/vm/vm.c:565:24
    #15 0x8277fc8 in vm_execute iotjs/deps/jerry/jerry-core/vm/vm.c:3478
    #16 0x82187ac in vm_run iotjs/deps/jerry/jerry-core/vm/vm.c:3611:10
    #17 0x81b6442 in ecma_op_function_call iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792:32
    #18 0x8277fc8 in opfunc_call iotjs/deps/jerry/jerry-core/vm/vm.c:565:24
    #19 0x8277fc8 in vm_execute iotjs/deps/jerry/jerry-core/vm/vm.c:3478
    #20 0x82187ac in vm_run iotjs/deps/jerry/jerry-core/vm/vm.c:3611:10
    #21 0x81b6442 in ecma_op_function_call iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792:32
    #22 0x8277fc8 in opfunc_call iotjs/deps/jerry/jerry-core/vm/vm.c:565:24
    #23 0x8277fc8 in vm_execute iotjs/deps/jerry/jerry-core/vm/vm.c:3478
    #24 0x82187ac in vm_run iotjs/deps/jerry/jerry-core/vm/vm.c:3611:10
    #25 0x81b63ef in ecma_op_function_call iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792:32
    #26 0x8277fc8 in opfunc_call iotjs/deps/jerry/jerry-core/vm/vm.c:565:24
    #27 0x8277fc8 in vm_execute iotjs/deps/jerry/jerry-core/vm/vm.c:3478
    #28 0x82187ac in vm_run iotjs/deps/jerry/jerry-core/vm/vm.c:3611:10
    #29 0x8199d85 in vm_run_global iotjs/deps/jerry/jerry-core/vm/vm.c:266:10
    #30 0x8199d85 in jerry_run iotjs/deps/jerry/jerry-core/api/jerry.c:550
    #31 0x81569df in iotjs_jhelper_eval iotjs/src/iotjs_binding.c:379:12
    #32 0x8155155 in iotjs_run iotjs/src/iotjs.c:175:25
    #33 0x81552e9 in iotjs_start iotjs/src/iotjs.c:224:3
    #34 0x81552e9 in iotjs_entry iotjs/src/iotjs.c:312
    #35 0xf7be6750 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1e750)
    #36 0x8080871 in _start (iotjs/build/i686-linux/debug/bin/iotjs+0x8080871)

Address 0xffb3beac is located in stack of thread T0 at offset 588 in frame
    #0 0x818dfaf in udp_send iotjs/src/modules/iotjs_module_udp.c:183

  This frame has 4 object(s):
    [16, 20) 'udp_handle' (line 184)
    [32, 40) 'address' (line 191)
    [64, 72) 'buf' (line 201)
    [96, 124) 'addr' (line 205) <== Memory access at offset 588 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow iotjs/src/modules/iotjs_module_udp.c:186:3 in udp_send
Shadow bytes around the buggy address:
  0x3ff67780: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 04 f2
  0x3ff67790: f8 f2 f2 f2 f8 f2 f2 f2 f8 f8 f8 f8 f3 f3 f3 f3
  0x3ff677a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff677b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff677c0: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
=>0x3ff677d0: 00 00 00 00 00[04]cb cb cb cb cb cb f1 f1 f8 f2
  0x3ff677e0: f2 f2 00 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00
  0x3ff677f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff67800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff67810: f1 f1 f8 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x3ff67820: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7477==ABORTING

Found by Fuzzinator.
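The report shows a 4-byte read past the end of udp_send's frame when the binding is called with three arguments, but it does not say which read at iotjs_module_udp.c:186 runs over. The example below is an added illustration, not IoT.js or JerryScript code and not derived from the actual fix: it shows the defensive pattern for a native binding that receives a caller-controlled argument list, where every access goes through a bounds-checked accessor so a short argument list (like the `(this, 1, '')` call in the test case) yields `undefined` instead of a read beyond the array. The value model, `arg_at`, and `udp_send_checked` are constructed names.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed mini value model for a native binding (not JerryScript's API). */
typedef enum { T_UNDEFINED, T_OBJECT, T_NUMBER, T_STRING, T_FUNCTION } js_type;
typedef struct { js_type type; double num; } js_value;

static const js_value JS_UNDEFINED = { T_UNDEFINED, 0.0 };

/* Bounds-checked argument access: an index at or past argc never touches
 * memory beyond the caller's argument array; it reads as undefined instead. */
static js_value arg_at(const js_value *argv, size_t argc, size_t i) {
  return i < argc ? argv[i] : JS_UNDEFINED;
}

typedef enum { SEND_OK = 0, SEND_BAD_ARGS = -1 } send_status;

/* Hardened handler shape: check the count and type of every required
 * argument before using any of them, and treat the trailing callback as
 * optional, so argv[3] is never read when only three arguments arrived. */
static send_status udp_send_checked(const js_value *argv, size_t argc,
                                    bool *has_callback) {
  *has_callback = false;
  if (argc < 3) return SEND_BAD_ARGS;
  if (arg_at(argv, argc, 0).type != T_OBJECT) return SEND_BAD_ARGS;
  if (arg_at(argv, argc, 1).type != T_NUMBER) return SEND_BAD_ARGS;
  if (arg_at(argv, argc, 2).type != T_STRING) return SEND_BAD_ARGS;
  js_value cb = arg_at(argv, argc, 3);       /* undefined when argc == 3 */
  if (cb.type == T_FUNCTION) *has_callback = true;
  else if (cb.type != T_UNDEFINED) return SEND_BAD_ARGS;
  return SEND_OK;
}
```
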
